

bpf: host: provide src_sec_identity in to-netdev's drop events
As we now have a mark-derived src_sec_identity available, we might as well
share this bit of information with the user.

Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
julianwiedmann committed Apr 9, 2024
1 parent 5700076 commit 1ce886d
Showing 1 changed file with 14 additions and 10 deletions.
24 changes: 14 additions & 10 deletions bpf/bpf_host.c
Expand Up @@ -1364,7 +1364,8 @@ int cil_to_netdev(struct __ctx_buff *ctx __maybe_unused)
if (allow_vlan(ctx->ifindex, vlan_id))
return CTX_ACT_OK;
else
return send_drop_notify_error(ctx, 0, DROP_VLAN_FILTERED,
return send_drop_notify_error(ctx, src_sec_identity,
DROP_VLAN_FILTERED,
CTX_ACT_DROP, METRIC_EGRESS);
}
}
Expand All @@ -1375,7 +1376,8 @@ int cil_to_netdev(struct __ctx_buff *ctx __maybe_unused)

ctx->mark = 0;
tail_call_dynamic(ctx, &POLICY_EGRESSCALL_MAP, lxc_id);
return send_drop_notify_error(ctx, 0, DROP_MISSED_TAIL_CALL,
return send_drop_notify_error(ctx, src_sec_identity,
DROP_MISSED_TAIL_CALL,
CTX_ACT_DROP, METRIC_EGRESS);
}
#endif
Expand Down Expand Up @@ -1416,8 +1418,9 @@ int cil_to_netdev(struct __ctx_buff *ctx __maybe_unused)
}
out:
if (IS_ERR(ret))
return send_drop_notify_error_ext(ctx, 0, ret, ext_err,
CTX_ACT_DROP, METRIC_EGRESS);
return send_drop_notify_error_ext(ctx, src_sec_identity,
ret, ext_err, CTX_ACT_DROP,
METRIC_EGRESS);

skip_host_firewall:
#endif /* ENABLE_HOST_FIREWALL */
Expand Down Expand Up @@ -1447,8 +1450,8 @@ int cil_to_netdev(struct __ctx_buff *ctx __maybe_unused)
return ret;
}
if (IS_ERR(ret))
return send_drop_notify_error(ctx, 0, ret, CTX_ACT_DROP,
METRIC_EGRESS);
return send_drop_notify_error(ctx, src_sec_identity, ret,
CTX_ACT_DROP, METRIC_EGRESS);
}
#endif /* ENABLE_ENCRYPTED_OVERLAY */

Expand Down Expand Up @@ -1477,13 +1480,14 @@ int cil_to_netdev(struct __ctx_buff *ctx __maybe_unused)
if (ret == CTX_ACT_REDIRECT)
return ret;
else if (IS_ERR(ret))
return send_drop_notify_error(ctx, 0, ret, CTX_ACT_DROP,
METRIC_EGRESS);
return send_drop_notify_error(ctx, src_sec_identity, ret,
CTX_ACT_DROP, METRIC_EGRESS);
}

#if defined(ENCRYPTION_STRICT_MODE)
if (!strict_allow(ctx))
return send_drop_notify_error(ctx, 0, DROP_UNENCRYPTED_TRAFFIC,
return send_drop_notify_error(ctx, src_sec_identity,
DROP_UNENCRYPTED_TRAFFIC,
CTX_ACT_DROP, METRIC_EGRESS);
#endif /* ENCRYPTION_STRICT_MODE */
#endif /* ENABLE_WIREGUARD */
Expand All @@ -1510,7 +1514,7 @@ int cil_to_netdev(struct __ctx_buff *ctx __maybe_unused)
exit:
#endif
if (IS_ERR(ret))
return send_drop_notify_error_ext(ctx, 0, ret, ext_err,
return send_drop_notify_error_ext(ctx, src_sec_identity, ret, ext_err,
CTX_ACT_DROP, METRIC_EGRESS);
send_trace_notify(ctx, TRACE_TO_NETWORK, 0, 0, 0,
0, trace.reason, trace.monitor);
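Review bot: The trace event on the same exit path (the `send_trace_notify(ctx, TRACE_TO_NETWORK, 0, 0, 0,` call right after the last hunk's `exit:` drop) still reports `0` as the source, while every drop notification in this commit now carries src_sec_identity, so monitor output for a forwarded packet and its dropped counterpart will disagree about the source identity. If the third argument is the source identity as in the drop helpers, `send_trace_notify(ctx, TRACE_TO_NETWORK, src_sec_identity, 0, 0,` would keep the two consistent; worth confirming the parameter order before changing it. The declaration of src_sec_identity is outside every hunk, and the new uses sit under ENABLE_HOST_FIREWALL, ENABLE_ENCRYPTED_OVERLAY, ENABLE_WIREGUARD and ENCRYPTION_STRICT_MODE, so please confirm the variable is declared (and not reported unused) in every build configuration. cil_to_netdev begins and ends outside the hunks shown.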

